ci: add build provenance generation

nikaro · May 17, 2024 · 3062e1d · 3062e1d
1 parent c3336ff
commit 3062e1d
Showing 1 changed file with 30 additions and 5 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,26 +1,51 @@
 name: brew pr-pull
+
 on:
   pull_request_target:
     types:
       - labeled
+
 jobs:
   pr-pull:
     if: contains(github.event.pull_request.labels.*.name, 'pr-pull')
     runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+      pull-requests: write
+      repository-projects: write
+    env:
+      HOMEBREW_NO_AUTO_UPDATE: 1
+      HOMEBREW_NO_INSTALL_FROM_API: 1
+      HOMEBREW_GITHUB_API_TOKEN: ${{ github.token }}
+      HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{ github.token }}
+      HOMEBREW_GITHUB_PACKAGES_USER: ${{ github.actor }}
+      PULL_REQUEST: ${{ github.event.pull_request.number }}
     steps:
       - name: Set up Homebrew
+        id: set-up-homebrew
         uses: Homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
 
       - name: Set up git
         uses: Homebrew/actions/git-user-config@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
 
       - name: Pull bottles
+        id: pr-pull
+        run: brew pr-pull --debug --retain-bottle-dir --no-upload --tap="$GITHUB_REPOSITORY" "$PULL_REQUEST"
+
+      - name: Generate build provenance
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-path: "${{ steps.pr-pull.outputs.bottle_path }}/*.tar.gz"
+
+      - name: Upload bottles to GitHub Packages
+        working-directory: ${{ steps.pr-pull.outputs.bottle_path }}
         env:
-          HOMEBREW_GITHUB_API_TOKEN: ${{ github.token }}
-          HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{ github.token }}
-          HOMEBREW_GITHUB_PACKAGES_USER: ${{ github.actor }}
-          PULL_REQUEST: ${{ github.event.pull_request.number }}
-        run: brew pr-pull --debug --retain-bottle-dir --tap="$GITHUB_REPOSITORY" "$PULL_REQUEST"
+          REPO_PATH: ${{ steps.set-up-homebrew.outputs.repository-path }}
+        run: brew pr-upload --debug
 
       - name: Push commits
         uses: Homebrew/actions/git-try-push@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master